Skip to main content

Passphrases – What/Why/How?

bitcoin backups

The default backup for a typical Bitcoin wallet today consists of a mnemonic seed which is typically 12, 18 or 24 words in length and chosen from a universally agreed upon list of 2048 words. With this mnemonic seed you can move or recover your bitcoin into any other BIP39 compatible wallet (hint – they pretty much all are!).

Thankfully it is now common practice for Bitcoiners to store their mnemonic seed using a robust metal backup method to ensure their bitcoin is not lost in the case of disaster. But these storage methods pose a new problem to solve, what happens if someone were to find the metal backup? Your mnemonic seed, in clear text, ripe for picking to the first person that lays their eyes on it!

Sure, you could opt to use a multisig solution where a single mnemonic seed phrase does not give access to your bitcoin, but that poses many other considerations (to be covered in a future article), first amongst which is drastically increased complexity. You could also opt to use an encrypted backup which is perfectly resistant to physical attacks but does not offer the same assurances against fire or water.

Enter passphrases…


What are Passphrases

A passphrase is an additional word or combination of words that can be added to your mnemonic seed as an additional layer of security against physical attacks. A passphrase can be as short or as long as you like and can contain any combination of letters (upper and lower case), numbers or special characters. Passphrases are case and order sensitive, for example Passphrase123, 123passphrase, passphrase123 and 123Passphrase will all result in completely different wallets, each with their own unique list of addresses.

 

 

A passphrase is never stored on your signing device and will need to be entered every time you want to manage the passphrase protected wallet – fortunately Passport makes long passphrase entry simple thanks to its keypad design. Your passphrase does not replace your mnemonic seed; it is used in addition to it. If you decide to use a passphrase to protect your bitcoin, you need both your seed and your passphrase to recover funds.


should you use a passphrase?

There are two main benefits for users that choose to implement a passphrase, plus an optional third that comes with a little extra complexity.

1. Physical Attack Protection – If using a passphrase protected wallet and an attacker were to find your mnemonic seed backup, the attacker does not gain access to your bitcoin.

2. Plausible deniability – If using a passphrase protected wallet and an attacker were to hold you hostage until you gave up your bitcoin, you could have previously loaded a small amount onto the wallet without the passphrase (i.e. just your seed words). Telling the attacker where the mnemonic backup is, and allowing them to find this small amount may be enough to stop any further attack whilst the majority of your bitcoin is held safely within the passphrase protected wallet the attacker doesn’t know exists.

3. Separate Wallets – Some more advanced users may also use multiple different passphrases as a method of separating out their different pots of bitcoin. This could be for short/long term savings or for ensuring that separating KYC and noKYC funds never get merged together to protect the users privacy. It’s worth noting that the same effect can be achieved using the accounts feature on Passport.


passphrase considerations

Whilst passphrases offer many great benefits, particularly from a security standpoint, users must be aware of the considerations and pitfalls of using a wallet with passphrase protection.

1. Short Passphrases – Short 1 or 2 word passphrases from the BIP39 list or the dictionary are next to useless and can be brute forced by even modest attackers. Ensure you use a minimum of four words with numbers and/or characters being an additional bonus.

 

 

Estimated time taken to brute force different length passphrases chosen from the BIP39 word list. By Coldbit.

2. Long Passphrases – Longer passphrases are exponentially more secure, but remember, you need to enter this into your signing device every time you want to manage or spend from that wallet. If your signing device makes text entry a chore, the likelihood is you just won’t use it, or even worse, you might enter it incorrectly and cause yourself hours of confusion trying to work out why the addresses being generated don’t match those expected.

3. Storing a Passphrase – Your passphrase is part of your bitcoin backup. No passphrase, no bitcoin recovery. For obvious reasons the passphrase should not be stored in the same location as the mnemonic seed, so consideration must be made to a separate, secure storage location and medium. Imagine your metal seed backup survives a flood but the passphrase you jotted down on paper doesn’t!  No passphrase, no bitcoin recovery!

4. Inheritance – Extra security is great, but will your loved ones know what to do with your passphrase in the event that you are no longer around? Would they even be able to find it?


using a passphrase with passport

So, you’ve weighed up the pros and cons and decided to protect your wallet with a passphrase, smart move! Here’s how you can do that easily using Passport.

https://youtu.be/xo6UULwmgMw

 

To apply a passphrase simply head to Settings > Advanced > Passphrase. Here you can opt to set a passphrase or enable the device to prompt you to enter one each time it boots (useful for users that always use passphrase protected wallets) or you can press ‘Set Passphrase’.

Next, enter your desired passphrase carefully then press continue and double check you have entered the passphrase correctly.

Any time a passphrase protected wallet is active on Passport, it will be denoted by a small ‘P’ in the top left corner.

DO NOT USE THE PASSPHRASE SHOWN

This applied passphrase will be active until Passport is turned off or the user manually clears the passphrase using the exact same method as above. If after reading this post you decide you want to add passphrase protection to your bitcoin storage setup, you will need to activate the new wallet using the process detailed above then export that new wallet to your chosen software wallet. From there you can clear the passphrase and send from your old (non passphrase) wallet across to the addresses controlled by your new passphrase protected wallet.